TL;DR: Cyber insurance underwriters have significantly tightened their requirements since 2021. Businesses that cannot demonstrate minimum security controls are either declined or quoted prohibitive premiums. This checklist covers the 20+ controls that underwriters now consider standard requirements — not differentiators, but baseline expectations.
The Cyber Insurance Landscape Has Changed
Before 2020, cyber insurance was relatively easy to obtain for SMBs. Applications asked basic questions, premiums were reasonable, and claims were paid without significant scrutiny of the insured’s security posture.
The wave of ransomware attacks from 2020 onwards changed this. Insurers paid out billions in claims, recalibrated their risk models, and implemented much stricter underwriting criteria. Businesses that cannot demonstrate basic security controls are now declined, or quoted premiums that are multiples of what they would have paid four years ago.
The consequence for Australian SMBs: if you apply for cyber insurance without having your security house in order, you will either be denied or significantly overpay. And if you are approved but your security controls do not match your application, a claim may be denied.
This checklist covers what underwriters are now asking for — and what you need to have in place to be considered a good risk.
Section 1: Identity and Access Management
These are now considered baseline requirements by most cyber underwriters. Absence of any of these will typically result in increased premiums or application decline.
- Multi-factor authentication on email: All users have MFA enabled on their email accounts (Microsoft 365, Google Workspace). This is the single most commonly asked underwriting question.
- MFA on remote access: VPN, Remote Desktop, and any remote access tools require MFA. RDP exposed to the internet without MFA is a specific exclusion trigger.
- MFA on privileged accounts: Administrator accounts have MFA enforced — separate from day-to-day accounts.
- Privileged access management: Administrator access is documented, reviewed regularly, and limited to those who need it. No shared admin accounts.
- Offboarding process: Former employee accounts are disabled promptly (within 24 hours of departure). This is asked on most applications.
- Password policy documented and enforced: Minimum length requirements, prohibition on reuse, and MFA requirements are documented in a written policy.
Underwriter concern: Credential compromise is the primary initial access vector in ransomware attacks. MFA on email alone stops the majority of account takeover attacks. Underwriters treat absence of MFA as a fundamental risk factor.
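As an added illustration (example code written for this page, not CX IT Services' tooling or anything an underwriter supplies), the following Python audit checks an account export against the Section 1 controls: MFA enforced on every enabled account, stricter severity for privileged accounts, no shared admin logins, and departed staff disabled within 24 hours. It also derives the only answer the evidence honestly supports for the "MFA on all users" application question. The `Account` fields, the sample names and the fixed clock are this example's own assumptions; map the fields from whatever your Microsoft 365 or Active Directory export actually provides.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample directory export (not real accounts). The field names are
# this example's own assumption; map them from your M365 / AD export.
@dataclass
class Account:
    name: str
    privileged: bool              # holds an admin role
    mfa_enabled: bool             # MFA actually enforced, not merely "registered"
    enabled: bool                 # sign-in allowed
    departed: Optional[datetime]  # HR departure timestamp, None for current staff
    shared: bool = False          # generic login used by more than one person

# Fixed "now" so the output is reproducible.
NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
OFFBOARD_SLA = timedelta(hours=24)   # "disabled within 24 hours of departure"

SAMPLE_ACCOUNTS = [
    Account("alice",       privileged=False, mfa_enabled=True,  enabled=True,  departed=None),
    Account("bob",         privileged=False, mfa_enabled=False, enabled=True,  departed=None),
    Account("carol-admin", privileged=True,  mfa_enabled=False, enabled=True,  departed=None),
    Account("dave",        privileged=False, mfa_enabled=True,  enabled=True,  departed=NOW - timedelta(days=3)),
    Account("erin",        privileged=False, mfa_enabled=True,  enabled=False, departed=NOW - timedelta(days=10)),
    Account("admin",       privileged=True,  mfa_enabled=True,  enabled=True,  departed=None, shared=True),
]


def audit_identity(accounts, now=NOW):
    """Return (severity, account, finding) tuples for every enabled account
    that breaks one of the identity controls above."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account cannot be used for initial access
        if not a.mfa_enabled:
            findings.append(("HIGH" if a.privileged else "MEDIUM", a.name, "MFA not enforced"))
        if a.shared and a.privileged:
            findings.append(("HIGH", a.name, "shared privileged account"))
        if a.departed is not None and now - a.departed > OFFBOARD_SLA:
            age = (now - a.departed).days
            findings.append(("HIGH", a.name, f"departed {age}d ago, still enabled"))
    return findings


def mfa_coverage(accounts):
    """Fraction of enabled accounts with MFA enforced."""
    active = [a for a in accounts if a.enabled]
    if not active:
        return 0.0
    return sum(1 for a in active if a.mfa_enabled) / len(active)


def mfa_application_answer(accounts):
    """The honest answer to 'Is MFA enabled for all users?': only 100%
    coverage of enabled accounts supports a plain 'yes'."""
    cov = mfa_coverage(accounts)
    if cov == 1.0:
        return "yes"
    return "partial" if cov > 0 else "no"


if __name__ == "__main__":
    for sev, name, what in audit_identity(SAMPLE_ACCOUNTS):
        print(f"{sev:6} {name:12} {what}")
    print("MFA coverage:", f"{mfa_coverage(SAMPLE_ACCOUNTS):.0%}",
          "-> application answer:", mfa_application_answer(SAMPLE_ACCOUNTS))
```

On the constructed sample, three of five enabled accounts have MFA, so the script reports "partial" rather than "yes"; keep the exported list and the script output with your application paperwork, since that is the evidence of what was in place at policy inception.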
Section 2: Endpoint and Network Security
- Endpoint Detection and Response (EDR): All endpoints (workstations, laptops, servers) have EDR installed — not just traditional antivirus. EDR detects behaviour-based attacks that signature antivirus misses. Underwriters increasingly distinguish between antivirus and EDR.
- Endpoint protection managed centrally: Endpoint protection is managed via a central console, not installed ad-hoc. Gaps (unprotected devices) are visible and acted on.
- Patch management process documented: Operating systems and applications are patched on a defined schedule. Critical patches are applied within 14–30 days of release.
- Operating systems are supported: No end-of-life operating systems in production (Windows 7, Windows 8, Windows Server 2008/2012 are specific red flags).
- Remote Desktop Protocol (RDP) not exposed to internet: RDP is either disabled, protected by MFA, or only accessible via VPN. Exposed RDP is explicitly asked about on most applications.
- Network segmentation: Critical servers and data are on network segments separate from general workstations. This limits lateral movement in the event of a breach.
- Firewall maintained and monitored: Business-grade firewall is in place, firmware is current, and logs are reviewed.
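As an added example (written for this page, not CX IT Services' code), the following Python script turns three of the Section 2 controls into checks you can run over an endpoint inventory and a firewall rule export: EDR present on every endpoint rather than plain antivirus, no end-of-life operating systems, critical patches inside the 30-day upper bound of the stated window, and no inbound RDP (3389) rule that allows any source address. The inventory, rule names, field names and the fixed date are constructed assumptions; in practice the inventory comes from your RMM or EDR console and the rules from the firewall.

```python
import ipaddress
from datetime import date

PATCH_SLA_DAYS = 30          # upper end of the 14-30 day window in the checklist
EOL_OS = {                   # the named red flags, plus their R2 variants
    "Windows 7", "Windows 8", "Windows 8.1",
    "Windows Server 2008", "Windows Server 2008 R2",
    "Windows Server 2012", "Windows Server 2012 R2",
}

# Constructed inventory (not real hosts). Field names are this example's own.
ENDPOINTS = [
    {"host": "WS-01",    "os": "Windows 11",             "protection": "edr",       "critical_pending": []},
    {"host": "WS-02",    "os": "Windows 10",             "protection": "antivirus", "critical_pending": [date(2024, 12, 10)]},
    {"host": "SRV-FILE", "os": "Windows Server 2012 R2", "protection": "edr",       "critical_pending": []},
    {"host": "SRV-APP",  "os": "Windows Server 2022",    "protection": None,        "critical_pending": [date(2025, 1, 10)]},
]
# Constructed firewall export: inbound allow rules with source CIDR and port.
FIREWALL_RULES = [
    {"name": "allow-https",  "direction": "in", "src": "0.0.0.0/0",   "dst_port": 443,  "action": "allow"},
    {"name": "rdp-vendor",   "direction": "in", "src": "0.0.0.0/0",   "dst_port": 3389, "action": "allow"},
    {"name": "rdp-vpn-only", "direction": "in", "src": "10.8.0.0/24", "dst_port": 3389, "action": "allow"},
]
TODAY = date(2025, 1, 15)    # fixed so the patch ages are reproducible


def audit_endpoints(endpoints, today=TODAY):
    """(host, finding) for each endpoint breaking the EDR, OS lifecycle or patch SLA control."""
    findings = []
    for e in endpoints:
        if e["os"] in EOL_OS:
            findings.append((e["host"], "end-of-life OS: " + e["os"]))
        if e["protection"] != "edr":
            findings.append((e["host"], "no EDR (found: %s)" % (e["protection"] or "nothing")))
        ages = [(today - released).days for released in e["critical_pending"]]
        overdue = [a for a in ages if a > PATCH_SLA_DAYS]
        if overdue:
            findings.append((e["host"], "critical patch %dd old, SLA %dd" % (max(overdue), PATCH_SLA_DAYS)))
    return findings


def exposed_rdp_rules(rules):
    """Names of inbound allow rules for 3389 whose source is any address
    (0.0.0.0/0 or ::/0). A rule scoped to the VPN subnet is not exposure."""
    return [
        r["name"] for r in rules
        if r["direction"] == "in" and r["action"] == "allow" and r["dst_port"] == 3389
        and ipaddress.ip_network(r["src"], strict=False).prefixlen == 0
    ]


def application_answers(endpoints=ENDPOINTS, rules=FIREWALL_RULES, today=TODAY):
    """What the evidence supports for the corresponding application questions."""
    findings = audit_endpoints(endpoints, today)
    return {
        "edr_on_all_endpoints": not any("no EDR" in f for _, f in findings),
        "eol_os_in_production": any("end-of-life" in f for _, f in findings),
        "critical_patches_within_sla": not any("critical patch" in f for _, f in findings),
        "rdp_exposed_to_internet": bool(exposed_rdp_rules(rules)),
    }


if __name__ == "__main__":
    for host, finding in audit_endpoints(ENDPOINTS):
        print(f"{host:9} {finding}")
    print("exposed RDP rules:", exposed_rdp_rules(FIREWALL_RULES))
    print(application_answers())
```

The `rdp-vpn-only` rule is deliberately left unflagged: RDP reachable only from the VPN subnet is the acceptable configuration the checklist describes, whereas `rdp-vendor` with an any-source address is the exposure underwriters ask about.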
Section 3: Backup and Recovery
Underwriters want to know that you can recover without paying a ransom. Poor backup controls are a primary reason for claim denial (insurer argues the loss was preventable).
- Regular backups: All critical data is backed up at minimum daily.
- Offsite/cloud backup: At least one backup copy is stored off-site or in cloud storage — not only on-premise where ransomware can reach it.
- Immutable backups: At least one backup copy is immutable (cannot be deleted or encrypted by ransomware). This is now a specific underwriting question.
- Backup testing: Backups are tested via restore at least annually. An untested backup is not considered a backup by most underwriters.
- Recovery time documented: You have documented how long recovery takes from backup. Underwriters ask about Recovery Time Objective (RTO).
- Microsoft 365 backed up separately: Microsoft 365 data (email, SharePoint, OneDrive) has a dedicated third-party backup solution. Microsoft’s retention policies are not a backup.
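As an added example (written for this page, not CX IT Services' backup tooling), the following Python script runs the kind of restore test Section 3 calls for, on constructed data: take a backup, record a SHA-256 manifest at backup time, lose the live copy to a simulated encryption event, restore into a fresh location and verify every file against the manifest. A second mode lets the "backup" be reached by the same event, which is what happens to an on-premise, non-immutable copy, and shows why the test then fails. The directory layout, file contents, the `LOCKED:` stand-in for encryption and the annual-test check are this example's assumptions.

```python
import hashlib
import shutil
import tempfile
from datetime import date
from pathlib import Path

RESTORE_TEST_MAX_AGE_DAYS = 365   # "tested via restore at least annually"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup sets need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest and return a manifest of
    {relative_posix_path: sha256} captured at backup time. The manifest is
    what the later restore test is verified against."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_of(target)
    return manifest


def restore_and_verify(backup: Path, restore_to: Path, manifest: dict) -> list:
    """Restore into a fresh location and return the files whose hash does not
    match the manifest. An empty list means the restore test passed."""
    mismatches = []
    for rel, expected in manifest.items():
        src, dst = backup / rel, restore_to / rel
        if not src.exists():
            mismatches.append(rel)
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_of(dst) != expected:
            mismatches.append(rel)
    return mismatches


def simulate_ransomware(folder: Path) -> None:
    """Constructed stand-in for an encryption event: overwrite every file."""
    for p in folder.rglob("*"):
        if p.is_file():
            p.write_bytes(b"LOCKED:" + bytes(reversed(p.read_bytes())))


def restore_test_is_current(last_test_iso: str, today_iso: str) -> bool:
    """True if the last successful restore test is within the annual window."""
    last_test, today = date.fromisoformat(last_test_iso), date.fromisoformat(today_iso)
    return (today - last_test).days <= RESTORE_TEST_MAX_AGE_DAYS


def run_restore_test(backup_reachable_by_ransomware: bool = False) -> dict:
    """End-to-end drill on constructed data: back up, lose the live copy,
    restore, verify. With backup_reachable_by_ransomware=True the backup copy
    is hit as well, as an on-premise non-immutable copy would be."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup, restored = root / "live", root / "backup", root / "restored"
        (live / "invoices").mkdir(parents=True)
        (live / "invoices" / "2024-12.csv").write_text("id,amount\n1,100\n")
        (live / "contracts.txt").write_text("acme: signed 2024-11-02\n")

        manifest = take_backup(live, backup)
        simulate_ransomware(live)
        if backup_reachable_by_ransomware:
            simulate_ransomware(backup)
        bad = restore_and_verify(backup, restored, manifest)
        return {"files": len(manifest), "mismatches": sorted(bad), "restored_ok": not bad}


if __name__ == "__main__":
    print("isolated backup:", run_restore_test())
    print("reachable backup:", run_restore_test(backup_reachable_by_ransomware=True))
```

Keeping the manifest somewhere the backup job cannot overwrite is part of the design: if the manifest lives next to the backup and both are reachable, a tampered copy can be accompanied by a re-hashed manifest and the test proves nothing. The `restore_test_is_current` check is the piece to record in your backup policy so the annual test date can be shown to an underwriter.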
Section 4: Security Awareness and Training
- Phishing training conducted: Staff receive annual phishing awareness training at minimum. Simulated phishing (using tools like Microsoft Attack Simulator) is increasingly preferred by underwriters.
- Security policies documented: Acceptable Use Policy, Password Policy, and Incident Response Policy are documented and staff have acknowledged them.
- Incident response plan: A documented incident response plan exists and key staff know where to find it (including a physical printed copy). See Cyber Breach Response Playbook.
- Vendor/third-party risk management: For businesses that share data with third parties: a process exists to assess the security posture of key vendors.
Section 5: Data Governance
- Data inventory: You know what personal information you hold, where it is stored, and who has access.
- Sensitive data identified: Sensitive data categories (health information, financial records, personal identification) are identified and subject to additional controls.
- Data retention policy: A policy exists governing how long data is retained and how it is securely disposed of.
- Privacy Act compliance: If you hold personal information of Australians, you have assessed your Privacy Act 1988 obligations and have a Privacy Policy.
Section 6: The Application Itself
Cyber insurance applications require declaration of security controls. Providing false or inaccurate information — even unintentionally — can void a policy.
Before completing an application:
- Review all questions with your IT provider or managed IT team — they will know the accurate answers
- Do not guess or estimate — inaccurate answers can void coverage
- If you are unsure whether a control is in place, check before asserting that it is
- Document the state of your security controls at the time of application — if a claim is later disputed, your documentation of what was in place at policy inception is your evidence
Common application mistakes:
- Asserting MFA is in place when it is only applied to some users or some systems
- Stating EDR is deployed when only traditional antivirus is installed
- Claiming offsite backups exist when backup copies are on an external drive in the server room
- Not disclosing known vulnerabilities or prior incidents
Improving Your Insurability
If this checklist has identified gaps in your security controls, the good news is that addressing the most critical gaps is typically straightforward with the right IT provider.
Highest-priority improvements (most impact on insurability):
- MFA on all email accounts and remote access — implement within 1 week
- EDR on all endpoints — implement within 2 weeks
- Immutable cloud backup — implement within 2 weeks
- Block exposed RDP — implement immediately if found
Medium-priority improvements:
- Operating system lifecycle management — upgrade end-of-life systems
- Documented and tested incident response plan
- Annual phishing training for all staff
- Microsoft 365 third-party backup
For a comprehensive security assessment against cyber insurance requirements, see our Cyber Insurance Guide.
If you want help implementing the controls on this checklist, book a Right Fit Call with CX IT Services. We can assess your current posture and give you a clear roadmap to improve insurability.